How to Succeed in Ethical Hacking, with Laurent Desaulniers
Episode 115th September 2023 • 10 Questions to Cyber Resilience • Assurance IT

Shownotes

Assurance IT invited our favorite ethical hacker, Laurent Desaulniers. In this episode, Laurent Desaulniers, Security Cloud Manager, and co-founder of Assurance IT, Luigi Tiano, discuss:

1. What does ethical hacking really mean?

2. Should pentests be done multiple times per year?

3. Who was Mafia Boy?

4. How did he give ethical hacking a bad name?

5. What will the lack of IT talent result in?

6. The truth behind the ethical hacking community

7. What are some ways to get started in ethical hacking?

8. How do you identify great hacking talent?

9. The #1 question to ask ethical hackers in interviews.

10. How much money you can make as an ethical hacker.

BONUS TOPICS

What schools should really be teaching about tech?

Resources for learning cyber security.



Resources:

Laurent Desaulniers’s LinkedIn: https://www.linkedin.com/in/laurentdesaulniers/

Luigi Tiano’s LinkedIn: https://www.linkedin.com/in/luigitiano/

Assurance IT Website: http://www.assuranceit.ca/



About Laurent Desaulniers:

Laurent Desaulniers combines a strong technical experience with creative thinking to achieve elegant solutions with a passion for security, especially forensic, web and penetration testing.


Laurent Desaulniers is knowledgeable in the following technologies:


- Operating systems: Linux (Ubuntu/Debian), Windows (2008, 2003 Server, Windows 2000 Server), Cisco IOS

- Programming languages: PHP, Javascript, Python, Java (J2EE, EJB3, Servlet, Swing), JSP, Struts

- Frameworks: PCI-DSS, ISO-27001, ISO27034, ISO17799, ISO13335, ITIL, COBIT

- Methodologies: OSSTM, OWASP, OCTAVE

- Security: IDS systems, Honeypots, Penetration Testing


Specialties: Forensic, Web application intrusion, Vulnerability Analysis



About 10 Questions to Cyber Resilience:

Twice per month, learn how IT leaders are strengthening their cyber security practices. Every episode comprises 10 questions that get you one step closer to cyber resilience. Subscribe to stay up to date with hot topics in cyber security.



About Assurance IT:

Assurance IT (www.assuranceit.ca) has specialized in data protection and data privacy for the mid-market in Canada since 2011. The Montreal-based company’s unique approach to helping customers become cyber resilient is called the PPR Methodology, which stands for Prepare, Protect and Recover. Based on industry best practices, the PPR Methodology is an easier way to achieve cyber security and compliance objectives.

Transcripts

Speaker:

Thanks for joining us here today, Laurent, on our podcast. Really excited to have you on. Let's go ahead and start, Laurent. Who are you, what do you do, and what got you to where you are today?

Speaker:

So my name is Laurent Desaulniers. I'm a vice president at GoSecure. I manage two teams, so I manage the incident response team as well as the penetration testing team. So I have a team that breaks into buildings, applications, and does all the hacking stuff. Whereas I have a team that answers this problem and tries to solve it on behalf of our client. So that's basically it. What I'm doing, I've been doing this for 15 to 20 years, depending how you count, and I've also been lucky to be allowed to teach, so I've taught this in three universities in Montreal. So that's pretty much all there is.

Speaker:

And who do you work for today, Laurent?

Speaker:

I work for GoSecure, which is an MXDR and a service company. So we're doing pen testing and also managing XDR. So managing all the endpoints and doing detection and response.

Speaker:

I noticed that if I look back at your profile, you've been doing this a very long time. And you're actually a pretty young guy. So it's pretty interesting. You've probably seen a tremendous evolution of security happen over the years. My first question I have for you is, a lot of people talk about ethical hacking. So can Laurent really simplify what ethical hacking is?

Speaker:

So ethical hacking: ethical is at least as important, if not much more so, than hacking. So what we're doing mostly is being hired to break into a system. And we do it based on what are called rules of engagement. So we make sure we follow, respect the rules, we don't actually break things for the client, and that's what we're doing. The ethical aspect though is super important. Think about the level of trust the company needs to have in you, to allow you to perform these types of tests or get access to passport data or get access to social security numbers. As a tester, you need to be above doubt and above suspicion for any form of testing, and the only way you can get business is by being above reproach and above any doubt regarding your ethical integrity. So in ethical hacking, there's a hacking part and an ethical part, and some of it is what we're doing.

Speaker:

And in your opinion, ethical hacking, does this apply to small business, large business? Who should be taking on or actually requesting an ethical hacking service?

Speaker:

Nowadays we see more and more pen testing performed across all systems. It started more where there was money. So banks, for example, like early 2000, mostly banks and militaries were performing pen testing. Now with compliance frameworks, and people say Bill 25 in Quebec, but there's one in British Columbia as well that now makes it mandatory to have protection, there's GDPR. So now there's more and more privacy-based compliance rules and laws. That is one reason why there is more and more pen testing. Same for credit card data compliance, like PCI, for example, that also makes pen testing mandatory for these industries. So I think the main drive across organizations for pen testing is still compliance, but we're seeing now more and more companies doing risk management; they don't wanna do it just to comply with the framework, but they wanna do it to find their actual risk and be able to find ways to mitigate these problems, mitigate their risk. We see that often now.

Speaker:

And oftentimes, you mentioned compliance. We're seeing a lot more from the cyber insurance perspective, where cyber insurance companies are forcing companies who may not have the same maturity level as those companies you mentioned earlier. The cyber insurance companies are forcing enterprises to just become more mature. And ethical hacking is obviously a fundamental way for companies to really get an understanding of where they are in their process. Is that an accurate statement?

Speaker:

It's absolutely correct. Insurance has been a big driver, but there's a big change in cyber insurance. I think the industry is becoming more mature, and a few years ago it was you sign a contract, sent a file, you were done. Now there's much more audits to subscribe to cyber insurance, and I think it's a good thing that all these controls are in place to better prevent.

Speaker:

I agree with that. And to your point, I think it's gonna be more difficult and I think it's gonna be more rigor. And I think it won't be one time a year where you sign off, it'll be multiple times a year and then on a regular basis to make sure that you're actually keeping those controls in place. I think that's where we're gonna see more. I don't think the insurance companies have what it takes to do that repetitively often enough to make sure their customers are in line. But I think at some level we're gonna see more of that. I wanna stick in the ethical hacking vein because you and I, obviously, were raised in Quebec here. And there's a very famous individual who, I guess, maybe made ethical hacking a little bit famous earlier on. And so ethical hackers sometimes get a bad reputation. And we have a local famous character named Mafia Boy. For those who don't know, maybe can you remind us what Mafia Boy did and how he impacted the industry today?

Speaker:

So Michael Calce, AKA Mafia Boy, was the teen in Île-Bizard, Montreal, who performed denial of service on many systems. Yahoo was very big at the time and Yahoo was down thanks to his efforts. Same for eBay, which was also down, so he brought down lots of systems using distributed denial of service. If I had to qualify the threat, Michael Calce was on the lower end of sophistication; he used a tool and there was little to no privacy impact, he didn't show much, although we can all agree the impact was high. This is not what I would call ethical hacking, nor ethical, by the way. Cause there were no prior permissions nor hacking per se, as he mostly used the tool. So there's no discovery, no impact analysis, none of these things. But it's really interesting because when you look into the end of the century, so like the 1990s, that's how you got hired. So at that point, if you hacked into NASA and you got caught and you spent a few months or years in jail, then they knew you were good. Obviously you hacked into NASA. One could argue that if you got caught, perhaps you weren't so good. But at that point, that's how the business worked. Keep in mind, there were no certifications at that point. There were no frameworks of ethics. It was barely known. Now the industry has really evolved. Nowadays, there are CTFs, there are certifications, there is mentorship, there are schools, there are bug bounties. There's lots of ways for people to show their skills, but at that time, that's how people got hired, was by breaking into systems. It's really different; it's not 30 more years ago, but yeah. That's how people got it.

Speaker:

Yeah. People forget. So Mafia Boy, I think he hit those companies in, I think, 2000, right?

Speaker:

Yeah.

Speaker:

And probably there wasn't the level of sophistication in terms of security as there is today. And to your point, I think his attack was a really low-level, not really sophisticated way of attacking systems.

Speaker:

That's absolutely correct.

Speaker:

And that's how we've seen the industry evolve over time. We talk a lot about ethical hacking and the industry and the field. From my vantage point, and talking with customers, and I wanna get your perspective on this: is there a shortage of talent out there today as we speak?

Speaker:

There's a shortage in ethical hacking, but there's a shortage in governance. There's a shortage in architecture. There's a shortage in sysadmins, in DBAs, in software developers. Yeah, there's lots of shortages, and these things have an impact because, say your system administrators have more work, then perhaps patching or security configuration will be less of a priority over other things that are either more related to the mission of the organization or more business critical. So that opens more doors for a hacker. So your threat increases. So not only, I feel, are there not enough people to perform these tests, and it's difficult to come with the right level of training, but also the lack of the database administrator, system administrator also opens more doors. So it's like a Catch-22 where the lack of people creates a problem.

Speaker:

Interesting. And then we see that across the board. So if we look at specifically, though, ethical hacking, cause we wanna educate our audience here. Ethical hacking. How has that progressed from your early days till now? Have you seen an uptick or an increase in interest? Is it a domain where it's easy to access the tools? There's obviously a growing community, so maybe talk to us a little bit about how ethical hacking is progressing in the community.

Speaker:

Let me first say that the community in Canada is amazing. It's really something we ought to be proud of. Now there are many ways to break into computer security and to learn. One problem that I feel is what is called gatekeeping. So since security is considered to be very important or mission critical, we quite often see job postings for an entry-level pen tester that require five to seven years of experience, and that's a bit insane. After five to seven years, in theory, you're not a beginner anymore. So there's lots of gating. It's quite difficult to break into computer security because of the way these job postings are made and also because of the way people learn. Not all pen testers have bachelor degrees. Thankfully, computer security is something that can be learned on your own with CTFs, or capture the flags, with competitions, with bug bounties, with training online, like Hack the Box for example. That's a website where you can learn to hack systems. So there's lots of ways for people to learn it by themselves and be very good despite not having a bachelor or master degree. But with HR oftentimes, it doesn't match; the requirements oftentimes are for diplomas, and this is not what all typical pen testers have. There's also certifications. I'm a big proponent of a certification called OSCP, the Offensive Security Certified Professional. It's a hands-on exam and all the testers on my team are OSCPs. It's a requirement for my team cuz it's hands-on. So it sets the level, but that's one way also to learn. But there are also communities. So in Montreal there's MontréHack, that's a monthly security training evening. There's DEFCON 416 in Toronto. There's a very big community in Vancouver as well. So there's lots of groups where you can learn. Now there's mentor-mentee. In Quebec we have Academos, where we have lots of people who are there to help answer questions and be a mentor. There are mentorship opportunities as well. So there's lots of ways to get to know people and get to know the business. And there's also special interest groups. There's ekka for people doing audit, there's OWASP, there's OWASP Toronto, there's OWASP Ottawa, for example, that are groups that focus on AppSec. That is also a good way to learn and get to know people.

Speaker:

Yeah, you've shared a lot of information, and what we'll do is I'll probably ask you to send us some of those links, so we can include them in the post, cuz that's important. I didn't know there was such a huge community out there, and it is a really important role in the enterprise today. And I'll just touch on something you said. So you're big on certifications. Frankly, I believe the same thing. Obviously school, going through the proper channels in the school, obviously is really important. But I think in our field, if you're not constantly improving yourself, you can get outdated pretty quickly. So those certifications are proving to your employer and to your clients that you're able to keep up with the industry trends, because they are ever changing, as we've seen in our business.

Speaker:

But it's one way, cause sometimes training as well is a way that doesn't necessarily lead to certification. But say, when I look at the resume, things for me that are a big plus are capture the flag experience. So CTFs, I briefly talked about it, it's a hacking competition where you get to hack things legally that are made to be hacked. And so there are lots of competitions. One is very big in Montreal, called NorthSec. There's DEFCON, there's quite a few. So for me, having hands-on CTF experience is something I'm looking at. But also like GitHub. So if you have a GitHub or GitLab account and you commit code, then you make changes, it shows your skill. You're not just saying, I'm a developer. We can read your code, we can see what you've done. Being in the community is also something that I look at. And these are all techniques where you can show growth. It's also a common interview question. How do you keep up to date in IT security? I pretty much ask it in every interview and you get interesting answers. The one you don't wanna answer is, oh, I don't know. I don't need to, or I don't follow.

Speaker:

Yeah, not a good answer.

Speaker:

It makes your day a lot easier and a lot quicker.

Speaker:

I can understand that. When did you participate in your first capture the flag? In 2000? Was there a lot of these? When did they start coming into light?

Speaker:

So the team I was with and myself started perhaps early 2007, I think. So there was a competition in Montreal called Boule de cristal. We did a competition in Germany that was very difficult. I was at ETS, or local University of Montreal. But the competition was in Germany. It was insane. I think there were 300 teams and I think we finished 295 or something. We were really bad at that point. And we grew from this. We did the Firefox CTF, we finished first. We did the DEFCON Quals, so those are very large competitions, and then we started doing more and more. At some point, we did one every other weekend roughly. And that's how we kept doing CTF. Now I'm an organizer of a CTF. Now I'm on the other side.

Speaker:

Congratulations. It looks like you're really involved in the community, and I think we need more individuals like that, dedicated people, because I think it's a win-win, first of all. Obviously you're giving back to the community, but if you're looking for talent, you're in the mix of it all the time, right? So you know who the top players could potentially be, which is amazing. As an ethical hacker, obviously you don't start off day one as an ethical hacker. I think, as you mentioned, you need to build your experience. So what does a career look like and what can an ethical hacker earn on average? And I know it's a tough question, but if you can answer that.

Speaker:

So these amounts are set in Canada, because in the United States or with very large companies, I know that the Microsofts of this world, or Amazons of this world, sometimes have much bigger salaries. But in Canada, roughly, an entry-level pen tester will do roughly 70 to 75,000 a year. Mid-level, I'd say a hundred, 110. And I think the more senior, 10, 15 years, it might go up to 160,000 a year roughly.

Speaker:

That's a very good living.

Speaker:

That's a very good living. It's okay. There are outliers though, for example, bug bounty. So bug bounty is when some companies pay you to hack. They only pay if you find something. And we have ex-employees who now are doing surf and doing bug bounty; half the time they're like doing surf and having a very good living, and it's much higher than this. That's roughly the salary you can expect. Again, there are outliers for very large companies.

Speaker:

Yeah, those are good numbers, especially if you mentioned entry level to very senior. So it's a pretty big gap. But I think in IT, and any field, with experience I think we're duly paid for what we do, and I think organizations are starting to see the real value of IT professionals, especially in the security business. Again, we wanna encourage more folks to get into the security space.

Speaker:

Absolutely. Yes.

Speaker:

So it leads me to my last question, my last point. But you mentioned earlier you were a lecturer in universities and schools. This is my opinion, and I'd like to get yours. I think we're not devoting or dedicating enough education at the lower levels of school, of the institutions, to start putting this into the children's curriculum at some level. I think cybersecurity, maybe not necessarily cybersecurity but security in general, about digital security, I think needs to be employed more in the educational institutions. You lived there. You obviously spent some time there lecturing. What's your opinion about that, and what can we do better to get more into the educational system?

Speaker:

It's a very interesting thought. I'll try to break it into subcategories. So I was very impressed about what people learn in primary and high school now. There are programming classes and robotics classes. It's mostly entry level, but being familiar with programming languages is the cornerstone of IT security, to be able to craft your own systems. So in order to have very qualified internet citizens, giving them their skills early is a very good thing, and this is fairly recent. We have yet to see what's gonna be the impact later on, because those people who are in high school, they're not on the market yet. But I know there's a really big increase in giving these types of training in robotics and programming. The people will play with Arduinos and Raspberry Pi at a very early age, and I think this is really exciting. It will change the market in a few years.

Speaker:

Interesting perspective.

Speaker:

As for security, there are two folds. I've been asked several times to give classes for privacy and intimate picture exchange, because in high school that's a problem oftentimes. But it's more about privacy and awareness. So it's not very technical. It's more about being mindful of what you're doing, privacy online and these types of things, but it's something I'm asked a few times a year already, and believe me, the kids are smart. It's a little bit awkward at first, it's an intimate subject, but the students are interested and they ask smart questions and they understand really well. I think it would be a mistake to underestimate their interest and their capacity to learn in that regard. But turning them into security at some point, I feel that security is amazing, but we don't want to scare people into dealing with all this amazing technology and programming and the web and making queries. So I think while there should be more awareness, and more than just have a good password and have your patches on, but more about what phishing looks like and what to do when you have phishing, or what's important, not to run as admin. Like more targeted advice, I think. At least let the kids be kids and perhaps wait a little bit longer into giving them the scary part of the internet; just, I think we can wait a bit, but give them IT training, and that's what they're doing in high school and I'm very happy about this.

Speaker:

Yeah, I like that. I like that. I never looked at it in that perspective. So the IT training is the foundation and you don't necessarily have to give them all the ugly, scary stuff.

Speaker:

Correct. That's my opinion.

Speaker:

Okay. No. Interesting. But you're right. I think if we give them the fundamentals of understanding, to at least, why IT is important, how it enables them in their everyday life. But I think there's the aspect of privacy, which I think, without having to get too technical, like you mentioned. If you're describing the risks of not being private or giving too much information out there, I think that alone, without having to get too technical, should put some thought into their brain about keeping some information to themselves. Cause I think that's where-

Speaker:

Interesting threat models, like one of the threat models is their parent. When you ask questions, when we think about privacy, you and I, we think about online ads. We think about these types of things. But they have a very real business threat model. Their parents and their teachers. So when you're thinking about this, it gets really interesting, really fast. If you can have a talk with a 12 or 13 year old about their privacy model. It's interesting.

Speaker:

It really is. Yeah. You've definitely put some things into my brain today about that. I appreciate that. Laurent, is there anything you wanna share before we go here? Because I really wanna respect your time. Is there anything you wanna say about ethical hacking? What you would recommend if someone wants to get started, what you need to get started?

Speaker:

Ethical hacking has two sides. There's oftentimes what we call the AppSec and the networking side. If you want to break into AppSec, there's this amazing book called The Web Application Hacker's Handbook, Second Edition. That for me is the most amazing book about AppSec. It's hands-on, you can try it on. It's really something I can strongly advise you to read, and I know it's counterintuitive, or now in 2023 and I'm saying read a book, but it's a very good book. Also, there's a website that is free as well called PortSwigger Academy, where you can try lots of these attacks, and you always have three levels, like easy, medium, and difficult. And the difficult challenges are difficult. So you need to have your thinking cap on. It's a pretty difficult challenge. So these two things: somebody who went through the whole PortSwigger Academy application, for me, is somebody I would certainly consider hiring, that's for sure. On the networking side, there are websites like Hack the Box that you might wanna try. The OSCP, I really cannot recommend it enough, although it's a bit costly. And yeah, that's pretty much what I would recommend to start into computer security, and find mentors. Reach out to me, reach out to you, Luigi, if you... I put you on the spot. Sorry. But

Speaker:

No, no problem.

Speaker:

If you're willing, I think reaching out to senior people who know, who've done it before. If I may, I have a little anecdote for one minute.

Speaker:

Please. Go ahead.

Speaker:

How I got into computer security is interesting. When I was in high school, you need to pick what you want to do, and I knew I wanted to break into systems. I didn't know that it was a job at that point, and I wanted to talk with people, but didn't have any contacts in that field. Keep in mind, early 1990s, there were no certifications, there was nothing. So the CISSP certification had just started and the list was public. There were eight people who were CISSPs in Canada. As a young kid, who barely spoke English, I called

these eight numbers saying,

Speaker:

Hey, I wanna do hacking.

Speaker:

What do I do next?

Speaker:

And I got ignored by

Speaker:

seven out of them.

Speaker:

But one person answered.

Speaker:

And that person, his name is Robert

Speaker:

G, sadly, he's deceased right now.

Speaker:

And he was the CSO of

Speaker:

the bank of Montreal.

Speaker:

So this guy took two hours with

Speaker:

me and just to walk me through

Speaker:

the steps of what I should

Speaker:

do, should I do certification,

Speaker:

should I go to university?

Speaker:

And it was really worth it.

Speaker:

And the reason why I'm in

Speaker:

computer security, to be

Speaker:

truthful, is thanks to him.

Speaker:

If we can have that influence

Speaker:

over other people who want to

Speaker:

break into that field, I think

Speaker:

we have a responsibility to do.

Speaker:

That's amazing story.

Speaker:

Very nice to hear.

Speaker:

So there was eight CISSPs in

Speaker:

the early nineties in Quebec.

Speaker:

Wow.

Speaker:

And how many would you

Speaker:

say, roughly in Canada?

Speaker:

In Canada?

Speaker:

How many are there today, roughly?

Speaker:

I don't, now it's public,

Speaker:

but I'd say roughly.

Speaker:

Perhaps 10,000.

Speaker:

20,000.

Speaker:

Oh wow.

Speaker:

That many Wow.

Speaker:

Shows how the industry's grown.

Speaker:

Interesting.

Speaker:

Laurent, that was a great story.

Speaker:

Appreciate that.

Speaker:

And you know what, if we can

Speaker:

definitely be mentors to some of

Speaker:

the younger folks out there, I

Speaker:

would definitely, welcome that.

Speaker:

Laurent, you've been

Speaker:

an amazing guest.

Speaker:

Keep doing what you're doing.

Speaker:

I know you're protecting

Speaker:

companies on a daily basis and

Speaker:

GoSecure is lucky to have you.

Speaker:

So I want to thank you again for

Speaker:

joining us on the podcast and

Speaker:

we will be in touch very soon..

Speaker:

Thank you so much.

Speaker:

All right, Lauren.

Speaker:

Have a great day.

Speaker:

Thanks.

Speaker:

Bye.

Speaker:

Thank you.
